New on LowEndTalk? Please Register and read our Community Rules.
Comments
149.202.83.171 - Mining Pool
37.187.95.110 - Mining Pool
91.121.140.167 - Mining Pool
94.23.23.52 - Mining Pool
94.23.247.226 - Mining Pool
178.128.242.134 - xmrig donate pool
The other one doesn't seem to be related to the mining process.
I don't think so, at least it doesn't match the hash I found
the password is debian10svm
It's said in here: https://tdn.solusvm.com/
From the blog post mentioned in the OP, the password hash for debianuser is $6$WFiwDS/pPh5PRyPr$wLFwNWzE1vkNWbm2h/qqhSStLdqr0czHNSW6GqnnF5hycGQ.AfFTvNoNfCqegPsjveARh6mITTsqNz9ClYY.b0
I don't know if that's correct, but it doesn't match debian10svm (openssl passwd -6 -salt WFiwDS/pPh5PRyPr debian10svm).
Yeah, it doesn't.
However, referring to a much newer post at a different website (not that I can understand the Chinese language): it matches the hash for debian10svm.
Wow, I just saw this.
Checked all my VPS, and it seems all of them are fine. No debianuser, and I have CPU logs which look fine. I think I do not need to reinstall them.
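A script for the kind of check described in this post, as an added example that is not from the thread: it looks for a debianuser entry carrying the hash quoted above in /etc/shadow-style lines, and for established connections to the pool IPs listed at the top of the thread. The shadow and ss lines below are constructed samples; on a real host you would read /etc/shadow as root and feed in the output of ss -tn.

```python
import re

# Indicators quoted in this thread: the hash posted for "debianuser" and the
# addresses labelled as mining pools. Everything else here is constructed.
BACKDOOR_USER = "debianuser"
BACKDOOR_HASH = ("$6$WFiwDS/pPh5PRyPr$wLFwNWzE1vkNWbm2h/qqhSStLdqr0czHNSW6GqnnF5hycGQ."
                 "AfFTvNoNfCqegPsjveARh6mITTsqNz9ClYY.b0")
POOL_IPS = {"149.202.83.171", "37.187.95.110", "91.121.140.167",
            "94.23.23.52", "94.23.247.226", "178.128.242.134"}

def check_shadow(lines):
    """Return findings for any debianuser entry in /etc/shadow-style lines."""
    findings = []
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) < 2 or fields[0] != BACKDOOR_USER:
            continue
        hashed = fields[1]
        if hashed == BACKDOOR_HASH:
            findings.append("debianuser present with the known backdoor hash")
        elif hashed in ("", "*") or hashed.startswith("!"):
            findings.append("debianuser present but login is locked")
        else:
            findings.append("debianuser present with an unrecognised hash")
    return findings

def check_connections(lines):
    """Return peer IPs from ss/netstat-style lines that match the listed pools."""
    hits = []
    for line in lines:
        for ip in re.findall(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\b", line):
            if ip in POOL_IPS and ip not in hits:
                hits.append(ip)
    return hits

# Constructed sample input: one planted account, one pool connection.
SAMPLE_SHADOW = [
    "root:$6$constructedsalt$constructedhash:18600:0:99999:7:::",
    "debianuser:" + BACKDOOR_HASH + ":18600:0:99999:7:::",
]
SAMPLE_SS = [
    "ESTAB 0 0 10.0.0.5:45112 149.202.83.171:3333",
    "ESTAB 0 0 10.0.0.5:22 203.0.113.9:51020",
]

if __name__ == "__main__":
    print(check_shadow(SAMPLE_SHADOW))      # ['debianuser present with the known backdoor hash']
    print(check_connections(SAMPLE_SS))     # ['149.202.83.171']
```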
If it's recently you most likely haven't installed much, so the safer way is to just reinstall.
Btw, key or pass, I also like to set AllowUsers, which would also block this case.
KVM, openvz 7? Is it only the solusvm template that has this backdoor, or is it the vz template itself?
KVM. Not sure if it affects OpenVZ as I don't know many hosts that actually use OpenVZ (other than very lowend NAT providers).
The backdoor was specifically in SolusVM's template from https://tdn.solusvm.com/.
I just noticed that this was covered in a news article by TheRegister last month: https://www.theregister.com/2021/02/07/in_brief_security/
It wasn't Racknerds who found it though.
reinstalled.
Cool story, bro.
Thankfully I'm still running Debian 6 so I'm safe
Brilliant -- why didn't we think of this?
Wait, didn't realise this thread was so old before I posted that. Could have sworn it was on the front page
It's OK, it was worth a good laugh.
Yeah, that's long gone. Even if some random servers in Asia still have it, most companies def got rid of it.